EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Transcription

1 EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1

2 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies to identify the electricity sector s top 10 threats EEI contracted with The Chertoff Group to assist with the effort. 2

3 EEI Member Survey Results Top 10 Threats Insider threat (assumes malicious intent) Advanced Persistent Threats (unknown to defender) Human Failure (no malicious intent) Loss of Situational Awareness Attacks Designed to Damage Equipment or Threaten Safety (e.g. Stuxnet, Aurora or follow on variants) Compromise of Commonly Used Systems/Hardware Disruption of Energy or Generation Management System Models Information Integrity (accuracy and/or completeness of information used to make operational decisions) Third Party Support (Supply Chain Threats, Vendor Management) Compromise of Smart Grid /AMI Infrastructure 3

4 Approach to Threat Identification The threat scenarios are events that are High Impact/Low Frequency. This project is synchronized with the NERC Critical Infrastructure Strategic Roadmap. The likelihood of these attacks is a function of the intent, capability, and motivation of each adversary in addition to the extent tof mitigation for each vulnerability they seek to exploit. 4

5 Categories of Mitigation Actions Tactical Resilience can be best achieved by employing a combination of the following mitigation actions: Preparedness: Actions that involve a combination of planning, resources, training, exercising, and organizing to build, sustain, and improve operational capabilities for a wide range of potential incidents. Prevention: Actions to avoid an incident or to intervene to stop an incident from occurring. It involves applying intelligence and other information to a range of countermeasures aimed at deterring, preempting, interdicting, or disrupting illegal or harmful activity. Response: Immediate actions to save lives, protect property, and meet basic operational needs during an incident. Response also includes the execution of emergency plans and actions to support short term term recovery. Recovery: The development, coordination, and execution of serviceand site restoration plans; evaluation of the incident to identify lessons learned; post incident id reporting; and development of initiatives to mitigate the effects of future incidents. Modified from FEMA National Response Framework 5

6 Categories of Mitigation Actions Strategic Categories of Mitigation Actions Strategic Seek more robust information sharing: with federal entities to provide utilities greater intelligence and warning of ongoing or anticipated attack methods and targets through long term, sustainable utility to utility threat information exchanges Stimulate industry wide development and application of security standards for information and operational systems Engage control system vendors to develop enhanced security features in their products given the electric sector s need for interconnectivity between operational and business networks Conduct a large scale (multi regional, national, or international) table top exercise modeling a catastrophic incident/attack that is designed to reveal any gaps between the roles and expectations of government and industry Develop a shared and universal "Power Grid Risk and Resilience" risk assessment methodology that utilities can use to assess the role each utility plays in maintaining the stability and security of the shared power grid Please note: Because these Strategic Actions have general applicability, they are not aligned against the following individual threat scenarios. 6

7 EEI Threa 7at Scenario Threat Scenario Summary

8 XII. Mitigation Actions Common to Cyber Threats PHASES Preparedness Prevention Response MITIGATION ACTIONS Identify critical cyber assets that support reliable operation of the utility s enterprise Create and maintain security management controls to protect the system s critical cyber assets Create and maintain a cybersecurity and awareness training program Create and maintain a physical and virtual security perimeter around critical cyber assets Establish technical and procedural controls that enforce access authentication and accountability (including strong password protection mechanisms) Use information sharing resources to monitor credible sources of vulnerabilities and threats Develop and test incident response plans Perform testing to ensure changes to the asset baseline do not impact cybersecurity controls Enforce a process that only enables those ports and services required for normal and emergency ops Use appropriate anti virus and other malware prevention tools (including signature updates) Implement automated tools and process controls that provide for the continuous monitoring of situational awareness indicators Periodically undertake a cyber vulnerability assessment Maintain an active patch management program Actively monitor situational awareness indicators to assess successful cyber intrusions Implement emergency response plans and use an incident management system Recovery Implement disaster recovery and business continuity plans 8

9 DESCRIPT TION XII. Threat Scenario 1 Coordinated Cyber Attack on Bulk Electric System Infrastructure A coordinated campaign exploiting operational (process control) technology and networks for access that results in the simultaneous or near simultaneous targeting of multiple key systems, software, and data on a utility s networked infrastructure or the controlling systems of the electrical grid. Although initiated primarily through cyber pathways, the attack may be designed to damage or destroy physical systems. In addition to interrupting the effective operation of the electric grid, this attack could intercept control signals that block or alter information resulting in loss of situational awareness. Likely Target Types Commonly used systems/hardware: Control center communications Generation breaker relays Substation communication processors EMS or GMS software ICS/DCS/SCADA Smart Grid components Advanced Metering Infrastructure Potential Threat Actors State sponsored (and surrogates) Sophisticated terrorist organizations (and surrogates) Mercenary criminal organizations Elite hacker organizations Disgruntled insiders Co opted third party maintenance providers Specific Attack Paths APT Attack Paths (see slide 19) Via communication links Via connected WAN Via rogue devices or portable media Via telecommunication network Via wireless network Via remote connection Physical access to system Likely Impact of Successful Attack A successful campaign of coordinated cyber attacks could result in prolonged blackouts in one or more regions due to: loss of control and/or situational awareness; disruption of communications and industrial control systems; compromise ofics/dcs/scada models and loss ofinformation integrity oravailability; breakdown ofcritical processes (e.g. configuration management, change management, incident response); loss of communication between EMS/GMS to RTUs; and physical destruction of critical equipment. In addition to lost productivity costs, future costs for re fortifying cyber systems and restoring public confidence in a secure and resilient power grid could be significant. 9

10 PHASES Preparedness Prevention Response XII. Threat Scenario Coordinated Cyber Attack MITIGATION ACTIONS Mitigation Actions Common to all Cyber Threats Inspect common protocols for known vulnerabilities Ensure that field devices have physical and communications security protection Develop and test incident response plans Isolate operational and business networks to the greatest extent possible Harden the operational network to close backdoors and vulnerabilities in the network perimeter Ensure that links between operational network and control center(s) are via dedicated communications paths (not a public network or Internet) Monitor operations network to detect malicious activity and suspect traffic Minimize unprotected remote accessto terminal end points and telemetry in the operational network Use wireless communications technology selectively and with appropriate safeguards in the operational network Disable EMS/SCADA control ofall Bulk Electric System Elements Coordinate with neighboring utilities and Reliability Coordinators on data validation points Disable Automated Generator Control and consider islanding strategies Implement emergency response plans and use an incident management system Recovery Implement disaster recovery and business continuity plans 10

11 Evaluating Mitigation Actions Against Threats EEI Resiliency Self Assessment What is your utility s state of resiliency against the major threats facing the electric sector? The following threat scenarios explore high consequence, low frequency events and the recommended practices used to mitigate them. Each threat scenario is designed to define the significant threats faced by the electric sector. Each threat scenario is followed by recommended Mitigation Actions to help identify areas for improving the resiliency of the company and the electric grid. This review is intended to provide the basis for a dialogue between CEO, CIO, and other company personnel. How to use this self assessment: 1. The group chosen to engage in this dialogue should review each threat scenario and associated mitigation actions. 2. Discuss which of the mitigation actions your company does, and does not employ. 3. Identify gaps that leave your company at risk and identify specific actions that should be taken to become more resilient in the face of each of these threat scenarios. 11

12 EEI Threat Scenario 12 Timetable

13 Questions Mark Engels Director Enterprise Technology Security and Compliance Dominion Resources Services 13